05-09-2013 01:34 AM - edited 03-11-2019 06:41 PM
I am very new to Cisco ASA and I have been trying for many days to implement the design below but still cannot get it done. The situation I am facing is:
- a host (e.g. 192.168.5.10) under the Inside interface can contact the outside without any problem.
- however, a host outside (e.g. in VLAN1 or outside this network) cannot contact a host under the Inside interface. I am using a PING test and always get Request Timed Out.
Here is the configuration. Please advise how I can fix the problem.
Cryptochecksum: c45adab2 68cdf3f0 fbdfecfa 26341c1c
: Saved
: Written by sgtssea at 08:31:12.390 UTC Thu May 9 2013
!
ASA Version 8.4(4)1
!
hostname XXXXXXX
enable password CDA/4jRbBWA59Trl encrypted
passwd 0e53SZdxezxawxDG encrypted
names
!
interface Ethernet0/0
description "Link to XXXXXXX OFFICE Vlan"
!
interface Ethernet0/1
description "Link to XXXXXXX INDUSTRIAL Vlan"
switchport access vlan 30
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif outside
security-level 0
ip address 10.73.5.6 255.255.255.128
!
interface Vlan30
nameif inside
security-level 100
ip address 192.168.5.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Benteler
host 192.168.5.10
access-list OUTSIDE_IN_ACL extended permit icmp any any
access-list OUTSIDE_IN_ACL extended permit tcp any object Benteler eq 5900
access-list INSIDE_IN_ACL extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network Benteler
nat (inside,outside) static 10.73.5.130
access-group INSIDE_IN_ACL in interface inside
access-group OUTSIDE_IN_ACL in interface outside
route outside 0.0.0.0 0.0.0.0 10.73.5.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.73.5.0 255.255.255.128 outside
http 10.90.147.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 10.90.147.0 255.255.255.0 outside
ssh timeout 30
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.91.127.146 source outside
webvpn
username sgtssea password MvCn9NnVvYbQDnDz encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c45adab268cdf3f0fbdfecfa26341c1c
: end
05-09-2013 05:11 AM
Hello Rott,
To be new at this you have done a good job as the configuration of the ASA looks good, you have the NAT and ACL's configured properly:
object network Benteler
nat (inside,outside) static 10.73.5.130
!
access-list OUTSIDE_IN_ACL extended permit icmp any any
access-list OUTSIDE_IN_ACL extended permit tcp any object Benteler eq 5900
You need to know that the problem is not always on the ASA appliance, so you need to create captures so you can check/verify, first, whether the packet is getting to the ASA at all and, second, whether that same packet is leaving the ASA with no problem.
Capture:
capture outside interface outside match icmp any host 10.73.5.130
capture inside interface inside match icmp any host 192.168.5.10
I am capturing traffic from anyone on the outside/inside going to your server, once you have those captures in place you can try a ping from the outside to 10.73.5.130 and issue the following command to see the captures:
show capture outside
show capture inside
You are more than welcome to share the results so we can see what is happening with the packet.
Regards,
Juan Lombana
Please rate helpful posts.
05-09-2013 05:39 AM
Hello Juan,
Thanks for your advice. I have captured the packets as you suggested, but the result is quite strange because there is not a single packet at the inside interface.
#show capture OUTSIDE
4 packets captured
1: 12:33:59.497532 802.1Q vlan#1 P4 10.90.147.250 > 10.73.5.130: icmp: echo request
2: 12:34:04.081462 802.1Q vlan#1 P4 10.90.147.250 > 10.73.5.130: icmp: echo request
3: 12:34:09.028883 802.1Q vlan#1 P4 10.90.147.250 > 10.73.5.130: icmp: echo request
4: 12:34:14.055508 802.1Q vlan#1 P4 10.90.147.250 > 10.73.5.130: icmp: echo request
4 packets shown
#show capture INSIDE
0 packet captured
0 packet shown
05-09-2013 05:48 AM
Hello Rott,
Please share the following packet tracer:
packet-tracer input outside icmp 10.90.147.250 8 0 10.73.5.130
Also, if you can share the "show capture" command.
Regards,
Juan Lombana
Please rate helpful posts.
05-09-2013 06:06 AM
I think I will have to post the result of packet-tracer tomorrow because I just noticed that the test computer which is directly connected to the Inside interface is off, and there is no one at the site now to turn it on.
05-09-2013 07:46 PM
Here is the result for both the packet capture and the packet tracer. Please advise.
# show capture OUTSIDE
4 packets captured
1: 02:38:36.537829 802.1Q vlan#1 P4 10.90.147.250 > 10.73.5.130: icmp: echo request
2: 02:38:41.348767 802.1Q vlan#1 P4 10.90.147.250 > 10.73.5.130: icmp: echo request
3: 02:38:46.437874 802.1Q vlan#1 P4 10.90.147.250 > 10.73.5.130: icmp: echo request
4: 02:38:51.348446 802.1Q vlan#1 P4 10.90.147.250 > 10.73.5.130: icmp: echo request
4 packets shown
------------------------------------------------------------------------------------------
# show capture INSIDE
4 packets captured
1: 02:38:36.538088 802.1Q vlan#30 P4 10.90.147.250 > 192.168.5.10: icmp: echo request
2: 02:38:41.349026 802.1Q vlan#30 P4 10.90.147.250 > 192.168.5.10: icmp: echo request
3: 02:38:46.438133 802.1Q vlan#30 P4 10.90.147.250 > 192.168.5.10: icmp: echo request
4: 02:38:51.348721 802.1Q vlan#30 P4 10.90.147.250 > 192.168.5.10: icmp: echo request
4 packets shown
------------------------------------------------------------------------------------------
# packet-tracer input outside icmp 10.90.147.250 8 0 10.73.5.130
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network Benteler
nat (inside,outside) static 10.73.5.130
Additional Information:
NAT divert to egress interface inside
Untranslate 10.73.5.130/0 to 192.168.5.10/0
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_IN_ACL in interface outside
access-list OUTSIDE_IN_ACL extended permit icmp any any
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network Benteler
nat (inside,outside) static 10.73.5.130
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4270, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
------------------------------------------------------------------------------------------
# show capture
capture OUTSIDE type raw-data interface outside [Capturing - 438 bytes]
match icmp any host 10.73.5.130
capture INSIDE type raw-data interface inside [Capturing - 376 bytes]
match icmp any host 192.168.5.10
05-09-2013 08:00 PM
Hi,
In case you want to configure a capture that shows both if the Echo reply is leaving the inside interface towards the actual host and if the host is replying to the ICMP echo, then try this:
access-list ICMP-CAP permit icmp host 10.90.147.250 host 192.168.5.10
access-list ICMP-CAP permit icmp host 192.168.5.10 host 10.90.147.250
capture ICMP-CAP type raw-data access-list ICMP-CAP interface inside buffer 1000000
Then test the ICMP traffic and use the following command to confirm what is captured:
show capture ICMP-CAP
You should see the echo reply messages if the host is replying to the ICMP. There is always a chance that some local firewall prevents the host from replying to ICMP from remote networks.
- Jouni
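As an added illustration of the capture-reading Jouni describes (this is not code from the thread), the following Python script parses `show capture` lines in the format pasted in this thread, counts echo requests and replies on each side of the static NAT, and names the first hop where the flow goes missing. The sample capture text is constructed to match what was posted above; the addresses are the ones used in the thread.

```python
import re

# Shape of a "show capture" line on ASA 8.4, as pasted earlier in this thread:
#   1: 02:38:36.538088 802.1Q vlan#30 P4 10.90.147.250 > 192.168.5.10: icmp: echo request
ECHO_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?:802\.1Q\s+vlan#\d+\s+P\d+\s+)?"
    r"(?P<src>\d+(?:\.\d+){3})\s+>\s+(?P<dst>\d+(?:\.\d+){3}):"
    r"\s+icmp:\s+echo\s+(?P<kind>request|reply)"
)

def parse_capture(text):
    """Return (src, dst, kind) for every ICMP echo line; header/footer lines are ignored."""
    return [m.group("src", "dst", "kind")
            for m in (ECHO_RE.match(line) for line in text.splitlines()) if m]

def diagnose(outside_cap, inside_cap, mapped_ip, real_ip):
    """Count echo requests/replies on each side of the static NAT and name the first gap."""
    out = parse_capture(outside_cap)
    ins = parse_capture(inside_cap)
    counts = {
        "out_req": sum(1 for s, d, k in out if d == mapped_ip and k == "request"),
        "in_req":  sum(1 for s, d, k in ins if d == real_ip and k == "request"),
        "in_rep":  sum(1 for s, d, k in ins if s == real_ip and k == "reply"),
        "out_rep": sum(1 for s, d, k in out if s == mapped_ip and k == "reply"),
    }
    if counts["out_req"] == 0:
        verdict = "no echo request reached the outside interface (upstream routing or ACL)"
    elif counts["in_req"] == 0:
        verdict = "requests hit outside but were not forwarded inside (check NAT/ACL with packet-tracer)"
    elif counts["in_rep"] == 0:
        verdict = "requests delivered to the host but no echo reply seen: look at the host (OS firewall, host IPS)"
    elif counts["out_rep"] == 0:
        verdict = "host replied but the reply never left the outside interface (return path on the ASA)"
    else:
        verdict = "ICMP path is symmetric through the ASA"
    return counts, verdict

# Constructed sample input, shaped like the captures posted in this thread.
OUTSIDE_CAP = """2 packets captured
1: 02:38:36.537829 802.1Q vlan#1 P4 10.90.147.250 > 10.73.5.130: icmp: echo request
2: 02:38:41.348767 802.1Q vlan#1 P4 10.90.147.250 > 10.73.5.130: icmp: echo request
2 packets shown"""
INSIDE_CAP = """2 packets captured
1: 02:38:36.538088 802.1Q vlan#30 P4 10.90.147.250 > 192.168.5.10: icmp: echo request
2: 02:38:41.349026 802.1Q vlan#30 P4 10.90.147.250 > 192.168.5.10: icmp: echo request
2 packets shown"""

if __name__ == "__main__":
    counts, verdict = diagnose(OUTSIDE_CAP, INSIDE_CAP, "10.73.5.130", "192.168.5.10")
    print(counts, "->", verdict)
```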
05-09-2013 08:36 PM
Hello Jouni,
Thanks for your advice, but I still cannot see the echo reply. What could be the reason?
access-list INSIDE_IN_ACL extended permit icmp any any
access-list ICMP-CAP extended permit icmp host 10.90.147.250 host 192.168.5.10
access-list ICMP-CAP extended permit icmp host 192.168.5.10 host 10.90.147.250
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
XXXXXXXX(config)# show capture ICMP-CAP
4 packets captured
1: 03:30:32.622755 802.1Q vlan#30 P4 10.90.147.250 > 192.168.5.10: icmp: echo request
2: 03:30:37.388194 802.1Q vlan#30 P4 10.90.147.250 > 192.168.5.10: icmp: echo request
3: 03:30:42.398798 802.1Q vlan#30 P4 10.90.147.250 > 192.168.5.10: icmp: echo request
4: 03:30:47.440925 802.1Q vlan#30 P4 10.90.147.250 > 192.168.5.10: icmp: echo request
4 packets shown
05-09-2013 08:45 PM
Hi,
I think earlier in this discussion you said the host behind the ASA can connect to networks outside the ASA?
If not, double-check the network settings of the host.
I would also recommend checking if there is some firewall software or Windows-related settings that are stopping it from replying to ICMP Echos.
If you have some additional device/computer to connect to the ASA Vlan30, I would suggest testing ICMP with that device. Though in that case, if you use the same internal IP, remember to disconnect the actual host and after that do a "clear arp" on the ASA before testing.
There are occasions where I just can't get ICMP working on some computers even though it should be allowed on the actual host. So in those cases I tend to test with some TCP connection.
I can't see any problems with the ASA configuration, and even the earlier "packet-tracer" confirms that everything is working and hitting the correct configurations/rules on the ASA.
So on that basis it seems that the problem is on the actual host.
- Jouni
05-09-2013 09:17 PM
Hi all,
1. I thought the problem might be related to the network settings on the host, like the default gateway, but I have tested by pinging from the host to the outside (e.g. 10.90.147.250) and ping works perfectly. It seems that outgoing traffic from the host to the outside is working but incoming traffic is not. This does not only happen with ICMP PING but also with TCP 5900 (it is VNC, remote software).
2. I thought the problem might be related to the actual host, like Windows Firewall or other software; however, after I disconnected the host from the ASA and connected it to the normal LAN, I could ping it without any problem. I even changed the host connected to the ASA to a new PC, but the problem still persisted. I think this proves that it is not related to the host itself.
Regarding the current configuration, the host is connected directly to the ASA interface.
Now I have no idea what the solution should be. Please help.
05-09-2013 09:55 PM
Hi,
What is the operating system on the host? Is it perhaps Windows 7?
I am not really an IT guy, but to me it seems also possible that the actual OS firewall might still cause this.
For example, consider this situation:
When you first connect the Windows 7 device to a new network it asks you to define which network location it is. Depending on what you defined as the location when you first connected the device to that network, the OS might have different firewall rules for it.
So when the device is connected outside the ASA it might have totally different rules compared to the settings it has when it is connected to the network behind the ASA.
The network connected might for example be listed as a Home or Public network. The Home network might allow ICMP, while if the new network connection (ASA) was chosen as a Public network it might block ICMP and any other connections.
If the problem is related to the ASA, I can't really see what the problem is. The "packet-tracer" already tells that the correct rules are hit and there doesn't seem to be anything wrong with the actual configurations. As the ASA allows the traffic FROM the host it seems to be working normally, though it seems you have only allowed ICMP.
- Jouni
05-09-2013 11:39 PM
Hi Jouni,
Yes, you are right. It is Windows 7, but I have disabled Windows Firewall for the active network, Home and Public.
Rott
05-10-2013 01:24 AM
Hi Jouni,
Thanks a lot for your investigation. I have found the root cause. It is the IPS software on the host, and after I disabled it, everything is working.
Rott